Security flaw in Siemens software alarms US government

The United States government is investigating an apparent security flaw in software provided by Canadian firm RuggedCom – a subsidiary of Siemens.

Industrial systems security expert Justin Clarke has exposed weaknesses in products from RuggedCom, which sells networking equipment designed to withstand harsh conditions. Clarke claims to have discovered a way to spy on traffic moving through RuggedCom equipment, Reuters reports.

The firm’s systems are widely used by companies that deal with important communications to remote power stations. The manufacturer told Reuters it was investigating Clarke’s findings, but did not elaborate.

Amid fears that the flaw could enable hackers adept at spying on computer networks to access power plants and other critical systems, the US Department of Homeland Security said yesterday it was looking into the matter.

Highlighting the lack of restrictions he faced when compromising the system, Clarke warned, “If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you.”

Marcus Carey, who has worked within the US Navy Cryptologic Security Group, described the flaw as “a big deal,” because disabling communications networks could serve as a prelude to a much wider attack. “Since communications between these devices is critical, you can totally incapacitate an organization that requires the network,” he said.

This isn’t the first time RuggedCom’s services have had weaknesses laid bare by Clarke. An update to the firm’s operating system was found to have a ‘back door’ that Clarke said gave hackers remote access to the equipment with an easily obtained password.